Cyber Incident Victim: St. Luke's Health System

In late May 2022, St. Luke’s Health System was notified by a contracted business vendor about a cybersecurity incident impacting the vendor’s systems. The vendor provided statement processing and billing services to the healthcare organization under a formal agreement. Initial reports did not disclose the vendor’s identity, though subsequent updates from BoiseDev identified the third party as Kaye Smith. St. Luke’s confirmed the breach potentially affected patients and members associated with specific customers of the vendor. The healthcare system conducted an internal review following the vendor’s disclosure and identified 31,573 individuals whose information was compromised. This incident was reported to the U.S. Department of Health and Human Services (HHS) on August 2, 2022, though it only appeared on the official breach portal on August 18. Public awareness emerged in late July when KMVT first reported the incident, noting St. Luke’s acknowledgment of the event but absence of detailed notifications on its official website. DataBreaches.net attempted to contact St. Luke’s for clarification but received no immediate response, while imagery in KMVT’s coverage suggested potential involvement of St. Luke’s Magic Valley location.

The breach exposed personal information tied to billing and statement processing workflows, though specific data elements compromised were not detailed in available reports. St. Luke’s limited public communications indicated the vendor’s systems—not its own infrastructure—were the intrusion point. Impacted individuals were identified through the vendor’s customer data, with no evidence suggesting broader network infiltration across St. Luke’s systems. The organization did not publish a dedicated breach notice on its website despite media inquiries and third-party reporting timelines. Operational disruptions to patient care or billing services were not described in source materials. The delayed HHS portal listing versus the August 2 reporting date created a sixteen-day gap in public regulatory visibility. No attacker attribution, ransom demands, or data misuse evidence was disclosed in the available coverage. St. Luke’s reliance on vendor-provided incident details shaped its response, which centered on quantifying affected patients rather than describing technical containment measures by either party.